Laptop BIOS password recovery using a simple dongle

In his line of work, Instructables user [Harrymatic] sees a lot of Toshiba laptops come across his desk, some of which are protected with a BIOS password. Typically, in order to make it past the BIOS lockout and get access to the computer, he would have to open the laptop case and short the CMOS reset pins or pull the CMOS battery. The process is quite tedious, so he prefers to use a simpler method, a parallel loopback plug.

The plug itself is pretty easy to build. After soldering a handful of wires to the back of a standard male D-sub 25 connector in the arrangement shown in his tutorial, he was good to go. When a laptop is powered on with the plug inserted, the BIOS password is cleared, and the computer can be used as normal.

It should be said that he is only positive that this works with the specific Toshiba laptop models he lists in his writeup. It would be interesting to see this tried with other laptop brands to see if they respond in the same way.
Since no laptops are manufactured with parallel ports these days, do you have some tips or tricks for recovering laptop BIOS passwords? Be sure to share them with us in the comments.

Used to work, about 6 years ago :)) . Nowadays most bios pw (challenge/ response ) are insanely easy to remove via keygen
or failing that some hw method, eeprom on the board itself

most time i only need bios to boot from cd/dvd and re-install, usually on encrypted boot in which case
sometimes it’s easier to take the hdd out, ofc it will fall
to 2nd,3rd boot option (cd/dvd), erase partitions + mbr through linux, put hdd back in, cd in then restart it will fail to boot from hdd and just start up cd, obvious but i’ve seen plenty of people wnot think this

Doesn’t work on any current Toshiba model (current being newer than ~2002). It’d be much more interesting if someone found out how to do this to the Satellite Pro U200 I have lying around useless here that I got from a relative once he locked himself out by not knowing the password and disabling the fingerprint reader.

Toshiba’s from ~2-5 years can randomly get BIOS passwords if the BIOS wasn’t updated. Usually clearing it involves unplugging the AC adapter and battery, opening the memory bay, removing the memory and then jumping a solder pad for about 15-30 seconds. It varies for each series, but J1 open is a pretty common label. You may have to peel back plastic film to get to it too. If you do succeed in removing a random one, make sure you grab the newest BIOS update so it doesn’t happen again. I’d guess I’ve taken off 10-15 in the past few years with this method.

@3-R4Z0R
If you want to take a picture from inside the memory compartment with the memory removed I can maybe tell you which ones to try. Often it’s will look like a T stuck inside of a U or two triangles forming a diamond. Or if you can give me the model number (All U200s should be the same, but just in case), I can try to get the info from a Toshiba maintenance manual.

I had an old toshiba laptop with a password from a relative. the loopback connector didn’t work, killing cmos batteries didnt work, and I ended up guessing the password with the power of human nature and social engineering.

A more useful look at this would be from a previous article http://hackaday.com/2010/10/07/bios-password-cracking/ . A guy by the name of Dogbert has a blog where he points out flaws in the password and bios passwords that companies release with their computers. He releases scripts to calculate the passwords from the checksums given by the bios. It takes an extra computer and python, but I think it would be a little easier to come by then hoping the computer is a toshiba with an lpt port.

Apple/Mac Laptops
Depends on the model, but it generally comes down to:
do a pram+nvram reset (google this)
if you can’t, and there’s a boot/OF/EFI password, remove the ram (change the modules out for a different quantity of memory)
also, check the hard disk for any efi stuff and remove that, the mac may boot that first

Newer Dell Lattitude laptops are even worse. I couldn’t find the bios or CMOS battery. Everywhere I’ve been says you have to call Dell for an unlock code. They’ll only provide it if you know the exact name of the person who originally purchased the laptop.

I re-sold these in the early 90’s on ebay for the old Toshiba Satellite models. took 5 min to make them by hand and sold for like $60 back then. I doubt there are too many older laptops around that this would work on now. Can I post that trick where you add a notch to a single sided floppy disk to make it double sided?

As already said this is very old news, I made one about 3 years ago with some innards for cat5e when a customer came to my last place of work with a laptop they couldn’t access and a quick google revealed that to be the easiest fix.

Here’s a real old one for Toshiba laptops that will probably work if it has a floppy drive. Take a floppy disk and hex edit it so that the the first five bytes of the second sector are 4B 45 59 00 00. Boot with the floppy in the drive and you will be able to bypass the password and set a new one.

I used to work for a warranty repair center in the late 90s. I was Toshiba certified, the dongle came as a repair kit for technicians. We used to charge 50 to 70 to reset it as it was not covered under warranty. Good old days, my first computer job.

i just pop it in the microwave for 45 seconds. the microwaves erase the password.
i like when the CMOS battery has its own little access panel, but you don’t see that very often nowadays. I haven’t, anyway.. BIOS passwords p*ss me off because i can’t even boot from USB without it, if it’s set the annoying way. of course, if you really want to protect your data, do that, plus build your computer inside a safe and weld it shut.. or, it’s a safe, just lock it i guess. and bolt it down. and laser tripwires, which text you if tripped, and cameras. overkill!

I wrote a small bit of C code for my Teensy that’ll brute force a bios password, but it’s incredibly slow and only works sometimes (if at all). Not as impressive as this dongle hack, but if you want in to a machine without leaving any traces, and you have plenty of time to kill…it’s an option.

HaD had an article a while back, it featured this blog: http://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html. It’s quite interesting and he has a couple of nice scripts available free of charge. I used a modified version of his script to decode the bios and hdd password, which were luckily set to the same value. The script actually just calculated the hash values from words out of a dictionary, and came up with the right one for the bios password.

I got my hands on a Password protected (bios setup) Acer laptop a few years back, I started out trying to reset bios by shorting pins and removing battery, but to no use. However I found that the acer bios flash program had some parameters to use when flashing, these were not accessible via the default appname.exe /?. I found them by opening the flasutil in a hexeditor, it had a parameter for just what i needed “erase bios passwords”. done and done.

Back in the day when 286’s and 5″ floppy disks were the cutting edge, the “antivirus” solution of our university was to disable said floppy disks (and password the BIOS, of course). Some of us who knew the trick used to be able to sit down at the MS-DOS command prompt then type in and execute ~5 assembly instructions in DEBUG which overwrote the BIOS checksum. At which point the BIOS panicked and readily let us in to enable the floppy drive without a password… ;)

@ganmaoyao: Thanks for that link to the Toshiba version. I haven’t tried it yet (I’m still at university), but it might even work, since any other methods have failed. Maybe this doesn’t work either, since it’s a Satellite Pro U200 that my father’s friend bricked. Supposedly the Pro series are safer than the regular ones.

yeah, i used this trick too back in “the old days” (1998!)
I see that they finally killed Debug on Windows 7, but not the “Save as *.com” in Notepad.

Interestingly many older password protected HDDs can be um, unsecured by simply running a manufacturer’s tool across them which initiates an LLF using the onboard controller.
Takes an hour or so but at least the drive is useable again minus the data.

I have a Toshiba Satallite T30-10s and the bios
was passworded tried loads of suggestions but Nolans suggestion was spot on,to reset takes 1 minute all you have to do is remove the wifi card cover and just by the side of the card (the one with the black and gray wires) is J1 is 2 solder points remove the battery short out the 2 solder points for about 20 seconds put back to gether and hey presto no more password
Cheers Nolan you are a star ***